In a nutshell
The EU’s Digital Operational Resilience Act (DORA) aims to promote, improve and ensure operational resilience within the financial services sector. Financial institutions must comply with a number of mandates designed to help their lines of business maintain operational resilience against a variety of risks. “Operational resilience” means the ability to resist, recover from, and adapt to adverse effects that may disrupt or prevent the provision of services. DORA also imposes specific obligations on certain ICT service providers that it deems “critical”. These providers will fall within the new direct regulatory oversight regime.
- Impact on financial institutions
- Important third-party monitoring system
- Indirect impact on ICT providers
- Next steps
DORA was published in the Official Journal of the European Union on 27 December 2022 and enters into force on 16 January 2023. A landmark piece of legislation that imposes significant new obligations on both financial institutions and critical third-party providers, DORA requires new systems, controls, risk management frameworks, policies and contractual provisions in ICT-focused outsourcing agreements. Because it will take time for businesses to comply, the regulation includes a two-year implementation period, and its requirements apply from 17 January 2025.
DORA will have a major impact on financial institutions. First, financial institutions must have a comprehensive ICT risk management framework that allows them to address ICT risks quickly, efficiently and thoroughly. At a high level, this means identifying risks, protecting ICT systems, mitigating the risk of cybersecurity incidents, detecting anomalous activity, recovering from adverse events, and maintaining backup and recovery capabilities. A range of ICT policies, procedures and tools will be needed to deliver this. The framework must also cover the risks arising from third-party services, with policies ensuring that only appropriate third-party services are used. To achieve resilience to digital risk across the whole financial services sector, DORA applies to a very wide range of financial institutions, including banks and investment firms, market infrastructure entities such as central counterparties and trading venues, fund managers, insurance companies, payment and e-money institutions, and other financial institutions such as credit rating agencies.
Overall responsibility for this framework and for the other governance obligations imposed by DORA rests with the management body, which must review, approve, implement and update the risk management framework. Management therefore needs a full understanding of the institution’s use of ICT, its ICT services and its ICT risk profile. Firms may want to revisit how the reporting line from the ICT team to senior management works in practice.
Second, DORA requires financial institutions to test their operational resilience regularly. Testing should be risk-based rather than standardised: firms are expected to test against the risks most relevant to their own services and lines of business. The aim is to ensure that cyber risk controls are tailored to the individual business rather than applied as a “one size fits all” solution (an approach regulators have criticised in the past). When an incident such as a cyberattack does occur, firms must record and classify it and report major incidents to the relevant competent authority, much as a data controller must notify the relevant data protection authority of a personal data breach under GDPR. Incident reporting time limits will be set in an upcoming Regulatory Technical Standard (RTS).
Third, DORA requires financial institutions to include certain clauses in their contracts with third-party ICT providers. There is some overlap here with the EBA’s Outsourcing Guidelines, but the two sets of rules are not entirely consistent and DORA introduces some new requirements. Firms should therefore not assume that an outsourcing agreement that complies with the EBA Guidelines automatically complies with DORA. They should map their current contracts and contract templates against DORA’s requirements and close any gaps identified before the end of the implementation window.
Financial institutions are not the only ones directly affected by DORA. Certain third-party ICT providers will be designated as critical ICT third-party service providers under DORA and become subject to direct oversight by a Lead Overseer, which will be one of the three European Supervisory Authorities (ESAs): the EBA, ESMA or EIOPA. It is for the ESAs to assess which providers are critical, but ICT providers may make submissions during that process.
Under DORA, that assessment is based on a number of factors, including:
- The systemic impact on the stability, continuity, or quality of financial service delivery when relevant ICT third-party service providers face major operational disruptions in delivering their services
- The systemic character or importance of the financial institutions that rely on the relevant ICT third-party service provider, looking in particular at (i) whether those institutions are global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs), and (ii) the interdependence between those financial institutions. The concern DORA addresses here is that where an ICT provider serves large banks, a failure or disruption at that provider is far more likely to have systemic effects on the European financial sector, and the “interdependence” of those banks increases the risk of contagion between them.
- The reliance of financial institutions on services provided by the relevant ICT third-party service provider in relation to critical or important functions (a test that banks and ICT firms alike will already know from the EBA Outsourcing Guidelines)
- The degree of substitutability of the relevant ICT provider, including whether it could realistically be replaced by another provider and how easily the relevant data could be migrated
The detailed criteria will be set out in a delegated act that the Commission is empowered to adopt by 17 July 2024. The Commission has asked the ESAs for technical advice on a precise, detailed and complete set of qualitative and quantitative indicators for each of the relevant DORA criteria, including any minimum thresholds that may apply. It has also asked for input on the oversight fees to be charged to critical third-party service providers, covering the estimated costs the Lead Overseer will incur in performing its role and guidance on how to calculate turnover so that a proportionate fee can be set. The deadline for the ESAs’ technical advice is 30 September 2023.
Specific oversight requirements will also be set out in an upcoming RTS. They are expected to include, among others:
- Establishing an EU subsidiary within 12 months of the assessment designating the ICT provider as critical. Note, however, that the requirement to set up an EU subsidiary is not intended to prevent an ICT provider from delivering its ICT services from facilities and infrastructure located outside the EU, and that DORA does not appear to impose any capital or substance requirements on the EU subsidiary (i.e. the subsidiary does not appear to need to carry on the ICT business itself or hold a particular level of assets)
- Operational resilience requirements such as testing
- Conducting thorough due diligence on designated subcontractors
- Record keeping and reporting obligations
- Ensure appropriate ICT security requirements and measures are in place
- Responding to information requests from the Lead Overseer in full, within the parameters of the request
- Cooperating with investigations by the Lead Overseer
- Paying the oversight fee
DORA requires the ESAs to submit to the Commission a draft RTS on the conduct of oversight activities by 17 July 2024.
Even if an ICT provider is not designated as a critical third-party provider, ICT providers contracting with financial institutions should review their existing contracts and financial services addendum templates against DORA’s mandatory requirements to determine whether any updates are needed.
There could also be a “second wave” of ICT providers that become subject to oversight once the regime has settled down.
If you are a financial institution and need help ensuring your business is DORA compliant before the implementation period ends, our experts are ready to help. Similarly, if you are an ICT provider and want to understand what DORA means for you, or are concerned that you may be designated a “critical” provider and become directly subject to financial services regulation, we can help you run a DORA impact assessment. If you need further assistance, please contact the DORA lead above.